[apparmor] [PATCH] profiles: Add attach_disconnected flag to dnsmasq profile

Tyler Hicks tyhicks at canonical.com
Tue Apr 12 21:27:32 UTC 2016


When Ubuntu made the jump from network-manager 1.0.4 to 1.1.93, the
dnsmasq process spawned from network-manager started hitting a
disconnected path denial:

  audit: type=1400 audit(1460463960.943:31702): apparmor="ALLOWED"
    operation="connect" info="Failed name lookup - disconnected path"
    error=-13 profile="/usr/sbin/dnsmasq"
    name="run/dbus/system_bus_socket" pid=3448 comm="dnsmasq"
    requested_mask="wr" denied_mask="wr" fsuid=65534 ouid=0

Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
 profiles/apparmor.d/usr.sbin.dnsmasq | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/profiles/apparmor.d/usr.sbin.dnsmasq b/profiles/apparmor.d/usr.sbin.dnsmasq
index f7834e9..34e16cc 100644
--- a/profiles/apparmor.d/usr.sbin.dnsmasq
+++ b/profiles/apparmor.d/usr.sbin.dnsmasq
@@ -12,7 +12,7 @@
 @{TFTP_DIR}=/var/tftp /srv/tftpboot
 #include <tunables/global>
-/usr/sbin/dnsmasq {
+/usr/sbin/dnsmasq flags=(attach_disconnected) {
   #include <abstractions/base>
   #include <abstractions/dbus>
   #include <abstractions/nameservice>

More information about the AppArmor mailing list